Ensure that System Accounts Do Not Run a Shell Upon Login
An XCCDF Rule
Description
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
Functionality Warning
Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
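As an added audit helper (not part of the XCCDF rule text or of the project's remediation content), the POSIX shell functions below apply the description's criteria to a passwd-format file and report which accounts would be affected, without modifying anything. The list of shells treated as non-interactive (the nologin and false variants) and the sample passwd content are assumptions made for this example; the three helper shells it exempts are the ones the shell remediation on this page exempts.

```shell
#!/bin/sh
# Added audit helper; not part of the XCCDF rule or its remediation content.
# Lists accounts that the rule would flag, without changing anything:
#   - UID (field 3) below 1000 but not 0 (root is excluded, as the rule says)
#   - login shell (field 7) is not a known non-interactive shell (assumed
#     list below) and not one of the three helpers the remediation exempts
# An empty seventh field counts as a shell: login(1) falls back to /bin/sh.
flag_system_shell_accounts() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '
        $3 < 1000 && $3 != 0 &&
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" &&
        $7 != "/bin/false" && $7 != "/usr/bin/false" &&
        $7 != "/sbin/shutdown" && $7 != "/sbin/halt" && $7 != "/bin/sync" {
            print $1
        }' "$passwd_file"
}

# Prints the remediation command for each flagged account instead of
# running it, so the result can be reviewed before touching the system.
remediation_plan() {
    flag_system_shell_accounts "$1" | while IFS= read -r account; do
        printf 'sudo usermod -s /sbin/nologin %s\n' "$account"
    done
}

# Constructed sample passwd content (not taken from any real host).
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
backup:x:34:34:backup:/var/backups:/bin/bash
svc:x:999:999:service account:/var/lib/svc:
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

echo "Flagged in sample:"
flag_system_shell_accounts "$SAMPLE_PASSWD"   # backup, svc
echo "Planned remediation:"
remediation_plan "$SAMPLE_PASSWD"
```

Run `flag_system_shell_accounts /etc/passwd` on a live host to audit it; only `backup` and `svc` are flagged in the sample, because root is excluded by UID, `bin` already has a nologin shell, the shutdown/halt/sync helpers are exempt, and `alice` is not a system account.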
Rationale
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
- ID: xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
- Severity: Medium
Remediation - Shell Script
readarray -t systemaccounts < <(awk -F: '($3 < 1000 && $3 != 0 \
    && $7 != "/sbin/shutdown" && $7 != "/sbin/halt" && $7 != "/bin/sync") \
    { print $1 }' /etc/passwd)   # UID below 1000, excluding UID 0 (root) and the shutdown/halt/sync helpers
for systemaccount in "${systemaccounts[@]}"; do
    usermod -s /sbin/nologin "$systemaccount"   # replace the login shell with /sbin/nologin
done
Remediation - Ansible
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Get All Local
    Users From /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - no_shelllogin_for_systemaccounts
  - medium_severity